Fabric connector event trigger

With the Fabric Connector Event trigger, any supported Fabric connector is able to trigger an automation stitch on the FortiGate based on a specific event defined on the Fabric connector. Currently, only FortiDeceptor 4.1 supports this trigger for the Insider Threat, Notify Ban, and Notify Unban events.

In the following example, an authorized FortiDeceptor in the Security Fabric deploys a decoy called ubuntu16 configured with SSH, SAMBA, HTTP, and HTTPS services.

This example assumes the Security Fabric is already configured. Refer to Configuring the root FortiGate and downstream FortiGates and FortiDeceptor for detailed configuration steps. On the root FortiGate, the Allow downstream device REST API access option must be enabled (set downstream-access enable). The minimum permission required for the selected Administrator profile is Read/Write for User & Device (set authgrp read-write).

Three stitches are configured, one for each FortiDeceptor trigger type:

Stitch name	Fabric connector event trigger	Actions
fortideceptor_threat	Insider threat	Email and IP ban
fortideceptor_ban	Notify ban	Email and IP ban
fortideceptor_unban	Notify unban	Email and CLI script

To configure stitches with the Fabric connector event trigger in the GUI:

Configure the triggers:

Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

In the Security Fabric section, click Fabric Connector Event and enter the following:

Name	fdc_Insider_Threat
Description	Insider_Threat
Connector	Select the FortiDeceptor connector
Event Name	Insider Threat

Click OK.

Repeat these steps to create two more triggers with the following settings:

Name	fdc_Notify_Ban
Description	Notify_Ban
Connector	Select the FortiDeceptor connector
Event Name	Notify Ban

Name	fdc_Notify_Unban
Description	Notify_Unban
Connector	Select the FortiDeceptor connector
Event Name	Notify Unban

Configure the actions:

Go to Security Fabric > Automation, select the Action tab, and click Create New.
In the Security Response section, click IP Ban and enter the name, fdc_ban-ip.
Click OK.

Repeat these steps to create an Email (in the Notifications section) and a CLI Script (in the General section) action with the following settings:

Email
Name	email_log
To	Enter an email address
Subject	CSF stitch alert

CLI Script
Name	fdc_unban
Script	diagnose user banned-ip delete src4 %%log.srcip%%
Administrator profile	super_admin

Configure the fortideceptor_threat stitch:
1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
2. Enter the name, fortideceptor_threat.
3. Click Add Trigger. Select fdc_Insider_Threat and click Apply.
4. Click Add Action. Select email_log and click Apply.
5. Click Add Action. Select fdc_ban-ip and click Apply.
6. Click the Add delay located between both actions. Enter 5 and click OK.
7. Click OK.
Configure the fortideceptor_ban stitch:
1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
2. Enter the name, fortideceptor_ban.
3. Click Add Trigger. Select fdc_Notify_Ban and click Apply.
4. Click Add Action. Select email_log and click Apply.
5. Click Add Action. Select fdc_ban-ip and click Apply.
6. Click the Add delay located between both actions. Enter 5 and click OK.
7. Click OK.
Configure the fortideceptor_unban stitch:
1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
2. Enter the name, fortideceptor_unban.
3. Click Add Trigger. Select fdc_Notify_Unban and click Apply.
4. Click Add Action. Select email_log and click Apply.
5. Click Add Action. Select fdc_unban and click Apply.
6. Click the Add delay located between both actions. Enter 5 and click OK.
7. Click OK.

To configure stitches with the Fabric connector event trigger in the CLI:

Configure the triggers:

config system automation-trigger
    edit "fdc_Insider_Threat"
        set description "Insider_Threat"
        set event-type fabric-event
        set serial "FDC-VMTM210000**"
        set fabric-event-name "insider_threat"
    next
    edit "fdc_Notify_Ban"
        set description "Notify_Ban"
        set event-type fabric-event
        set serial "FDC-VMTM210000**"
        set fabric-event-name "notify_ban"
    next
    edit "fdc_Notify_Unban"
        set description "Notify_Unban"
        set event-type fabric-event
        set serial "FDC-VMTM210000**"
        set fabric-event-name "notify_unban"
    next
end

Configure the actions:

config system automation-action
    edit "fdc_ban-ip"
        set action-type ban-ip
    next
    edit "fdc_unban"
        set action-type cli-script
        set script "diagnose user banned-ip delete src4 %%log.srcip%%"
        set output-size 10
        set timeout 0
        set accprofile "super_admin"
    next
    edit "email_log"
        set action-type email
        set email-to "*******@fortinet.com"
        set email-subject "CSF stitch alert"
    next
end

Configure the stitches:

config system automation-stitch
    edit "fortideceptor_threat"
        set trigger "fdc_Insider_Threat"
        config actions
            edit 1
                set action "email_log"
                set required enable
            next
            edit 2
                set action "fdc_ban-ip"
                set delay 5
                set required enable
            next
        end
    next
    edit "fortideceptor_ban"
        set trigger "fdc_Notify_Ban"
        config actions
            edit 1
                set action "email_log"
                set required enable
            next
            edit 2
                set action "fdc_ban-ip"
                set delay 5
                set required enable
            next
        end
    next
    edit "fortideceptor_unban"
        set trigger "fdc_Notify_Unban"
        config actions
            edit 1
                set action "email_log"
                set required enable
            next
            edit 2
                set action "fdc_unban"
                set delay 5
                set required enable
            next
        end
    next
end

Verification

A device with IP 172.16.200.33 uses SSH to access the decoy (ubuntu16) deployed in the FortiDeceptor. The FortiDeceptor will detect the attacker IP 172.16.200.33, automatically quarantine it, and send the insider threat notification to the FortiGate. This notification will trigger the fortideceptor_threat stitch due to the insider threat event trigger, so an email alert is sent and the attacker IP (172.16.200.33) is banned.

In FortiDeceptor, if the attacker IP (172.16.200.33) is manually blocked or unblocked, the FortiDeceptor will send out the internal block or unblock notification to FortiGate (see Quarantine Status for more details). This notification will trigger the fortideceptor_ban or fortideceptor_unban stitch due the notify ban or unban event trigger. An email alert is sent, and based on the event, the IP is banned or the CLI script runs to unban the IP.

To view the quarantine details in FortiDeceptor:

Go to Fabric > Quarantine Status.
1. Automatic quarantine:
2. Manual block or unblock:

To confirm that the stitch was triggered in the FortiOS GUI:

Go to Security Fabric > Automation and select the Stitch tab.
1. Triggered insider threat:
2. Triggered notify ban or unban:

To view the quarantined IP details in the FortiOS CLI:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
172.16.200.33     Wed Jan  5 15:57:41 2022 indefinite               Administrative

If the IP is unbanned by the stitch, the list will be empty:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause

Fabric connector event trigger

In the following example, an authorized FortiDeceptor in the Security Fabric deploys a decoy called ubuntu16 configured with SSH, SAMBA, HTTP, and HTTPS services.

Three stitches are configured, one for each FortiDeceptor trigger type:

Stitch name	Fabric connector event trigger	Actions
fortideceptor_threat	Insider threat	Email and IP ban
fortideceptor_ban	Notify ban	Email and IP ban
fortideceptor_unban	Notify unban	Email and CLI script

To configure stitches with the Fabric connector event trigger in the GUI:

Configure the triggers:

Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

In the Security Fabric section, click Fabric Connector Event and enter the following:

Name	fdc_Insider_Threat
Description	Insider_Threat
Connector	Select the FortiDeceptor connector
Event Name	Insider Threat

Click OK.

Repeat these steps to create two more triggers with the following settings:

Name	fdc_Notify_Ban
Description	Notify_Ban
Connector	Select the FortiDeceptor connector
Event Name	Notify Ban

Name	fdc_Notify_Unban
Description	Notify_Unban
Connector	Select the FortiDeceptor connector
Event Name	Notify Unban

Configure the actions:

Go to Security Fabric > Automation, select the Action tab, and click Create New.
In the Security Response section, click IP Ban and enter the name, fdc_ban-ip.
Click OK.

Repeat these steps to create an Email (in the Notifications section) and a CLI Script (in the General section) action with the following settings:

Email
Name	email_log
To	Enter an email address
Subject	CSF stitch alert

CLI Script
Name	fdc_unban
Script	diagnose user banned-ip delete src4 %%log.srcip%%
Administrator profile	super_admin

Configure the fortideceptor_threat stitch:
1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
2. Enter the name, fortideceptor_threat.
3. Click Add Trigger. Select fdc_Insider_Threat and click Apply.
4. Click Add Action. Select email_log and click Apply.
5. Click Add Action. Select fdc_ban-ip and click Apply.
6. Click the Add delay located between both actions. Enter 5 and click OK.
7. Click OK.
Configure the fortideceptor_ban stitch:
1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
2. Enter the name, fortideceptor_ban.
3. Click Add Trigger. Select fdc_Notify_Ban and click Apply.
4. Click Add Action. Select email_log and click Apply.
5. Click Add Action. Select fdc_ban-ip and click Apply.
6. Click the Add delay located between both actions. Enter 5 and click OK.
7. Click OK.
Configure the fortideceptor_unban stitch:
1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
2. Enter the name, fortideceptor_unban.
3. Click Add Trigger. Select fdc_Notify_Unban and click Apply.
4. Click Add Action. Select email_log and click Apply.
5. Click Add Action. Select fdc_unban and click Apply.
6. Click the Add delay located between both actions. Enter 5 and click OK.
7. Click OK.

To configure stitches with the Fabric connector event trigger in the CLI:

Configure the triggers:

config system automation-trigger
    edit "fdc_Insider_Threat"
        set description "Insider_Threat"
        set event-type fabric-event
        set serial "FDC-VMTM210000**"
        set fabric-event-name "insider_threat"
    next
    edit "fdc_Notify_Ban"
        set description "Notify_Ban"
        set event-type fabric-event
        set serial "FDC-VMTM210000**"
        set fabric-event-name "notify_ban"
    next
    edit "fdc_Notify_Unban"
        set description "Notify_Unban"
        set event-type fabric-event
        set serial "FDC-VMTM210000**"
        set fabric-event-name "notify_unban"
    next
end

Configure the actions:

config system automation-action
    edit "fdc_ban-ip"
        set action-type ban-ip
    next
    edit "fdc_unban"
        set action-type cli-script
        set script "diagnose user banned-ip delete src4 %%log.srcip%%"
        set output-size 10
        set timeout 0
        set accprofile "super_admin"
    next
    edit "email_log"
        set action-type email
        set email-to "*******@fortinet.com"
        set email-subject "CSF stitch alert"
    next
end

Configure the stitches:

config system automation-stitch
    edit "fortideceptor_threat"
        set trigger "fdc_Insider_Threat"
        config actions
            edit 1
                set action "email_log"
                set required enable
            next
            edit 2
                set action "fdc_ban-ip"
                set delay 5
                set required enable
            next
        end
    next
    edit "fortideceptor_ban"
        set trigger "fdc_Notify_Ban"
        config actions
            edit 1
                set action "email_log"
                set required enable
            next
            edit 2
                set action "fdc_ban-ip"
                set delay 5
                set required enable
            next
        end
    next
    edit "fortideceptor_unban"
        set trigger "fdc_Notify_Unban"
        config actions
            edit 1
                set action "email_log"
                set required enable
            next
            edit 2
                set action "fdc_unban"
                set delay 5
                set required enable
            next
        end
    next
end

Verification

To view the quarantine details in FortiDeceptor:

Go to Fabric > Quarantine Status.
1. Automatic quarantine:
2. Manual block or unblock:

To confirm that the stitch was triggered in the FortiOS GUI:

Go to Security Fabric > Automation and select the Stitch tab.
1. Triggered insider threat:
2. Triggered notify ban or unban:

To view the quarantined IP details in the FortiOS CLI:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause
172.16.200.33     Wed Jan  5 15:57:41 2022 indefinite               Administrative

If the IP is unbanned by the stitch, the list will be empty:

# diagnose user banned-ip list
src-ip-addr       created                  expires                  cause

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Fabric connector event trigger

Fabric connector event trigger

To configure stitches with the Fabric connector event trigger in the GUI:

To configure stitches with the Fabric connector event trigger in the CLI:

Verification

To view the quarantine details in FortiDeceptor:

To confirm that the stitch was triggered in the FortiOS GUI:

To view the quarantined IP details in the FortiOS CLI:

Fabric connector event trigger

Fabric connector event trigger

To configure stitches with the Fabric connector event trigger in the GUI:

To configure stitches with the Fabric connector event trigger in the CLI:

Verification